
How Boards Can Prioritize Cybersecurity in Corporate Governance

Too often the board members tasked with making the final call on security measures don't really know all that much about security.

By Hakon Olsen
Apr. 07, 17 · Security Zone · Opinion

Boards are responsible for the health of the company and its ability to fulfill its mission on behalf of its owners. This is why most boards put a lot of effort into effective risk management, with robust processes in place for compliance, financial risks, and M&A activities. What they very often fail to do is incorporate equally robust controls for the cybersecurity of the company's operations. In fact, a study surveying a large number of board directors shows that risk and security are the areas they find most challenging to cope with, yet also the areas where they rate the strategic threat lower than financial or compliance risks. This is in spite of the spike in cyber attacks hitting businesses globally in 2016, and an average cost of a data breach estimated by IBM at about 4 million USD. Both the underestimation of cyber risk and the lack of good processes for following up cybersecurity as a corporate governance activity are linked to the cybersecurity skills gap, which reaches all the way to senior leadership and board level.


Getting the Cybersecurity Processes in Place

It is not easy to close the skills gap at any level, but one should also not underestimate what can be achieved through good practices, educating staff, and integrating risk management into the day-to-day operations of the company.

Where to Find Best Practices?

Cybersecurity has come a long way, and several standards and practice documents exist, ranging from detailed technical requirements to management processes. Building an information security management system (ISMS) is no easy undertaking, but a risk-based approach that follows the same principles used for other governance structures helps. Making ISO 27001 (an international standard) the basis for your information security management will get you off to a good start. For a practical how-to on building such a system, see this post: How to build up your information security management system in accordance with ISO 27001

Metrics and Context: the Link Between Operations and Strategy

The board cannot dig into every aspect of security operations, nor does it (typically) have the expertise to follow all the details. That is why it is important to develop a robust set of security metrics that can be reported to the board, covering the threat landscape, the business context, and the company's maturity in deterring, detecting, and denying cyber attacks, as well as in recovering from those that will inevitably outsmart your defenses. Metrics should be developed to fit the wider strategic picture, recognizing that cybersecurity ties into all of the firm's operations. The set of metrics should thus include the financial perspective (most companies focus a lot on this), the customer perspective (tends to be forgotten in security), the learning and innovation perspective (often handled only at the tactical level, not linked to strategy), and the internal process perspective (sometimes dominating, sometimes missing entirely).

In addition to developing metrics, boards should be kept up to date on the risk context: what are our most valuable data assets and IT infrastructures? Which attackers are likely to take an interest in us (script kiddies? hacktivists? nation states?)? Do we have good people management in place, and how does our internal corporate culture affect the insider threat? It is the responsibility of the CISO to educate the board enough that its members can both ask these questions and understand why they matter as much as understanding the strategic fit of an M&A transaction.

The Compliance Link

Compliance is already on the board's table, and cybersecurity regulation is taking shape in different jurisdictions. Mapping regulatory requirements onto cybersecurity and data privacy controls is key to staying compliant in today's operating environment. In the EU and EEA, a new regulation comes into force in 2018 with strict requirements for most businesses handling personal data, yet few companies are ready for it. Bringing the cybersecurity domain into the compliance picture is a necessary cornerstone of corporate governance, and a lever for strengthening board focus. For an overview of the new requirements the General Data Protection Regulation (GDPR) places on businesses, see here: What does the GDPR (General Data Protection Regulation) mean for your company's privacy protection and cybersecurity?

The People Factor

Boards are no better than the people sitting on them; this is why getting technical competence on boards should be a major priority for stockholders. We are living in the age of digitalization, of machine learning, and of cyber threats: believing that we can deal with these without technical competence also on the top of governance is simply superstition.

Also, for the processes to work, everyone needs a feel for what secure behaviors are and what constitutes risky behavior with no upside. Driving security awareness into the corporate culture is also a key responsibility for directors, and overseeing it as part of risk governance should be a board priority. A large share of breaches start with a social engineering campaign, so getting your people on the right side of the knowledge gap is probably the best investment you can make after turning on your firewalls, auto-patching your computers, and removing end users' admin rights.

To drive awareness in an effective manner, make sure it is suitable for its audience, and that it is not a one-off e-learning module to click through. Building a security aware culture is a process of change, not a simple training event: When does cybersecurity awareness training actually work?

Take-Away Points

These are your talking points from this article – bring them to your next board meeting or coffee break at work:

  • Boards lack competence in cybersecurity, which leads to ineffective governance and underestimation of risk exposure.
  • To build better processes, start with an information security management system. You do not have to reinvent the wheel: ISO 27001 is your starting point for best practice.
  • Choose your security metrics wisely, and build them into the overall strategy map covering financials, customers, organization and learning, and internal processes, or whatever perspectives your operations are built around.
  • Make sure you understand your compliance requirements when it comes to cybersecurity. For the EU, the GDPR is an essential starting point.
  • To make governance processes work you need all your people on the right side of the competence gap: make sure everybody knows and understands how to deal with cyber threats in their current roles in the company.

Insider Extra: slide deck with implementation tips for your corporate governance processes.

Corporate governance Information security Information security management Security management

Published at DZone with permission of Hakon Olsen, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.
